Coupang’s Data Breach: A Wake-Up Call on Insider Threats

When news broke in November 2025 that South Korea’s largest e-commerce platform Coupang had suffered a data breach, the initial reports seemed manageable. The company disclosed that around 4,500 accounts were affected. Within days, however, investigators revealed the true scale. The breach had compromised the personal information of 33.7 million customers, more than half of South Korea’s population. This was not just another cyber incident. It was the largest personal data leak in the country’s history and a textbook case of how insider threats can devastate even the most powerful enterprises (CPO Magazine).

What Was Exposed

The compromised data included names, phone numbers, email addresses, delivery addresses, and some order histories. Coupang stressed that payment details and passwords were not leaked, but the sheer volume of personal identifiers was staggering. For millions of customers, this meant their shopping habits and personal details were suddenly vulnerable to phishing scams, identity theft, and fraud. The breach was not only about numbers. It was about trust, and that trust was shattered.

How It Happened: The Insider Angle

Investigators quickly uncovered that the breach was not the work of an external hacker but rather an insider-driven incident. A former Coupang IT engineer allegedly retained access to authentication keys after leaving the company. These keys were valid for five to ten years, a shocking lapse in security hygiene. With such long lifespans, they became a structural weakness in Coupang’s defenses. The ex-employee reportedly used one of these keys to generate valid tokens, bypass login controls, and access internal systems without raising alarms (CSO Online).

This is a classic insider threat scenario. Unlike external attackers, insiders know where vulnerabilities lie and how to exploit them. In this case, the attacker rotated IP addresses and used legitimate tokens, making detection nearly impossible. For months, the activity blended in with normal operations until the scale of exfiltration became undeniable (SearchInform).

The Fallout

The breach triggered immediate and severe consequences. South Korean police raided Coupang’s headquarters in December 2025, seizing internal records and investigating lapses in access control (UPI). Coupang’s CEO Park Dae-jun resigned shortly afterward, apologizing publicly and taking responsibility for the incident (UPI).

Customers launched class action lawsuits, with potential compensation claims exceeding two billion dollars. Daily active users dropped by more than a million, while competitors saw surges in new sign-ups. The breach became a national issue, with South Korea’s president calling for harsher penalties for companies that fail to protect consumer data (Devdiscourse).

Lessons for Enterprises Worldwide

The Coupang breach is not just a South Korean story. It is a global warning about the dangers of insider threats and weak access management. Several lessons stand out:

  • Key rotation is essential. Authentication keys should never remain valid for years. Regular rotation reduces the risk of misuse.
  • Immediate access revocation. Former employees must lose all system access the moment they leave. Delays create opportunities for exploitation.
  • Insider threat monitoring. Behavioral analytics and anomaly detection can help spot unusual access patterns before they escalate.
  • Transparency matters. Coupang’s initial underreporting damaged its credibility further. Enterprises must be upfront about breaches to maintain trust.
  • Culture of accountability. Security is not just about technology. It is about leadership, governance, and a culture that prioritizes protection of customer data.
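
The first two lessons can be enforced at the point where tokens are verified, so that a correct signature alone is never sufficient. The sketch below is an added example, not Coupang's code or anything taken from the cited reports; the token format, the 90-day rotation limit, the key registry and all names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass
from typing import Optional

MAX_KEY_AGE = 90 * 86400  # assumed rotation policy (90 days), in seconds

@dataclass
class SigningKey:
    secret: bytes
    created_at: int                    # epoch seconds
    revoked_at: Optional[int] = None   # set at rotation or offboarding

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def mint(kid, key, subject, now, ttl=900):
    """Issue a short-lived token signed with the key named by kid."""
    claims = {"kid": kid, "sub": subject, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def verify(token, keys, now):
    """Return the subject, or raise ValueError naming the failed check."""
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
        key = keys[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed token or unknown key")
    expected = _b64(hmac.new(key.secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad signature")
    # A valid signature is not enough: the key itself must still be trusted.
    if key.revoked_at is not None and now >= key.revoked_at:
        raise ValueError("signing key revoked")
    if now - key.created_at > MAX_KEY_AGE:
        raise ValueError("signing key past rotation deadline")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token expired or not yet valid")
    return claims["sub"]

def outcome(token, keys, now):
    """Verification result, or the rejection reason as a string."""
    try:
        return verify(token, keys, now)
    except ValueError as err:
        return str(err)
```

When offboarding sets revoked_at on every key the departing engineer could read, a token signed with a retained copy of the secret is rejected as "signing key revoked", and a key nobody remembered to revoke still stops working once it passes the rotation deadline.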

Why This Breach Resonates

Coupang’s breach resonates because it highlights the human side of cybersecurity. It was not a faceless hacker in a distant country. It was a former employee who exploited weak policies and long-lived keys. This makes the incident relatable and alarming. Every enterprise has employees who leave. Every enterprise manages keys and tokens. The difference lies in whether those processes are airtight or vulnerable.

For South Korea, the breach has become a turning point. Regulators are pushing for stricter penalties, and customers are demanding accountability. For the rest of the world, it is a reminder that insider threats are not hypothetical. They are real, and they can be catastrophic.

Closing Thoughts

The Coupang breach is more than a cybersecurity failure. It is a human story about trust, responsibility, and the consequences of neglecting basic security hygiene. For millions of South Koreans, the incident is a reminder that their personal data is only as safe as the systems that guard it. For enterprises worldwide, it is a wake-up call to treat insider threats with the seriousness they deserve. The lesson is clear. Security is not just about keeping outsiders out. It is about ensuring insiders cannot misuse the trust they once held.

Sources:
CPO Magazine
CSO Online
SearchInform
UPI – Police Raid
UPI – CEO Resignation
Devdiscourse

David